run: Don't allow chroot()
If we don't allow pivot_root() then there seems no reason why we should allow chroot().

Partially fixes GHSA-67h7-w3jq-vh4q.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Comment on 462fca2:
Wouldn't that break Firefox and Chromium?
igo95862/bubblejail@977f941
When I added a syscall filter to my sandbox I discovered that Firefox and Chromium do not work without chroot.
Comment on 462fca2:
Comments on commits are not very discoverable within the GitHub UI, so they are not a good way to handle issue reporting. If you believe there is a bug in Flatpak, please report it as an issue.
When Firefox and Chromium are run as Flatpak apps, I believe they use the subsandboxing interface (flatpak-spawn) instead of making their own sandbox from first principles.
Flatpak cannot safely allow sandboxed Flatpak apps to chroot(), because if they could do that, then they would be able to chroot() into a directory with their own crafted /.flatpak-info, leading to vulnerabilities similar to CVE-2021-41133.

Comment on 462fca2:
In practice Flatpak apps will not have CAP_SYS_CHROOT, so they should not be able to chroot() anyway, even before this commit.

Comment on 462fca2:
It is not a bug in Flatpak.
I am developing my own sandbox solution inspired by Flatpak.
I was reading Flatpak CVEs to find out if my sandbox is also vulnerable to the same issues and found this commit.
I recently added a syscall filter, and blocking chroot caused both Firefox and Chromium to fail. I was wondering how Flatpak avoids the same issue. I guess being a distribution platform on top of being a sandbox gives the privilege to patch software to better suit the sandbox. My program has to settle for the distro-provided binaries.